This bug was fixed in the package apparmor - 4.1.0~beta5-0ubuntu15
---------------
apparmor (4.1.0~beta5-0ubuntu15) questing; urgency=medium

  * Add patch to allow unprivileged_userns access to root dir
    (https://gitlab.com/apparmor/apparmor/-/issues/505):
    - d/p/u/unprivileged_userns_rootdir.patch
  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)
    and execution from a confined context (LP: #2107455):
    - d/p/u/lsblk-s390-fixes.patch
  * Add patch to fix execution of various commands from confined contexts
    (https://gitlab.com/apparmor/apparmor/-/merge_requests/1637,
    backport of the profile fixes and logprof test fix):
    - d/p/u/profiles_ensure_access_to_attach_path.patch
  * Add patch to include new QtWebEngineProcess execution path in
    plasmashell profile (LP: #2107723):
    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch
  * Add patch to allow /cvmfs fusermounts
    (https://gitlab.com/apparmor/apparmor/-/merge_requests/1587):
    - d/p/u/fusermount3_cvmfs.patch
  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029)
    - d/p/u/openvpn_dnsfix.patch
  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs
    (https://gitlab.com/apparmor/apparmor/-/merge_requests/1673)
    - d/p/u/fusermount3_allow_more_flags.patch
  * Add patch to fix permission denials for iotop-c (LP: #2107727):
    - d/p/u/profiles-give-iotop-c-additional-accesses.patch
  * Add patch to fix parser handling of norelatime mount flag
    (https://gitlab.com/apparmor/apparmor/-/merge_requests/1679):
    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch
  * Add patch to fix incorrect mount rule documentation in the apparmor.d
    man page (https://gitlab.com/apparmor/apparmor/-/merge_requests/1674):
    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch
    - d/p/u/regression-verify-documented-mount-flag-behavior.patch
  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:
    move the remmina profile to profiles/apparmor/profiles/extras to
    disable it by default (LP: #2102033)
  * debian/apparmor.install: remove the remmina profile entry
  * debian/apparmor-profiles.install: add an entry for the remmina profile
  * debian/apparmor.maintscript: remove the remmina profile upon upgrade

 -- Ryan Lee <[email protected]> Wed, 07 May 2025 11:29:02 -0700

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released

** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #505
   https://gitlab.com/apparmor/apparmor/-/issues/505
https://bugs.launchpad.net/bugs/2107596

Title:
  Apparmor is missing rule for openvpn to set DNS domain

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  If the remote openvpn server is pushing DNS settings that include a domain,
  the "/etc/openvpn/update-resolv-conf" script will fail. The apparmor
  settings are missing a rule to allow setting a dns domain.

  Error from openvpn:
  sd_bus_open_system: Permission denied

  Error from apparmor:
  audit: type=1107 audit(1744925540.893:328): pid=1907 uid=102 auid=4294967295
  ses=4294967295 subj=unconfined msg='apparmor="DENIED"
  operation="dbus_method_call" bus="system" path="/org/freedesktop/resolve1"
  interface="org.freedesktop.resolve1.Manager" member="SetLinkDomains"
  mask="send" name="org.freedesktop.resolve1" pid=10292
  label="openvpn//update-resolv" peer_pid=888 peer_label="unconfined"

  Thanks for looking into this.

  # lsb_release -rd
  Description: Ubuntu 25.04
  Release: 25.04

  # apt-cache policy apparmor
  apparmor:
    Installed: 4.1.0~beta5-0ubuntu14
    Candidate: 4.1.0~beta5-0ubuntu14
    Version table:
   *** 4.1.0~beta5-0ubuntu14 500
          500 http://de.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
          100 /var/lib/dpkg/status
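
Added example, not part of the bug report and not the content of d/p/u/openvpn_dnsfix.patch (which this notification does not show): a Python parser for the type=1107 denial record quoted in the bug description that derives the narrowest AppArmor dbus rule matching it, as a candidate for review. The function names parse_dbus_denial and candidate_rule are this example's own, and the sample record is the reported one re-joined onto a single line.

```python
import re

# Denial record quoted in the bug description, re-joined onto one line
# (the e-mail wrapped it); values are copied from the report as-is.
SAMPLE = (
    'audit: type=1107 audit(1744925540.893:328): pid=1907 uid=102 '
    'auid=4294967295 ses=4294967295 subj=unconfined '
    'msg=\'apparmor="DENIED" operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/resolve1" '
    'interface="org.freedesktop.resolve1.Manager" member="SetLinkDomains" '
    'mask="send" name="org.freedesktop.resolve1" pid=10292 '
    'label="openvpn//update-resolv" peer_pid=888 peer_label="unconfined"'
)

# key="quoted value" or key=bare-value inside the msg='...' payload
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\']+))')


def parse_dbus_denial(line):
    """Return the fields of an AppArmor D-Bus denial (type=1107), else None."""
    if "type=1107" not in line:
        return None
    _, found, payload = line.partition("msg='")
    if not found:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(payload)}
    if fields.get("apparmor") != "DENIED":
        return None
    if not fields.get("operation", "").startswith("dbus_"):
        return None
    return fields


def candidate_rule(fields):
    """Build the narrowest dbus rule for one denial; None for other masks."""
    mask = fields.get("mask")
    if mask not in ("send", "receive"):
        return None
    parts = ["dbus " + mask]
    parts += [f"{k}={fields[k]}"
              for k in ("bus", "path", "interface", "member") if k in fields]
    peer = []
    # Conservative choice of this example: pin the peer name only for send.
    if mask == "send" and "name" in fields:
        peer.append("name=" + fields["name"])
    if "peer_label" in fields:
        peer.append("label=" + fields["peer_label"])
    if peer:
        parts.append("peer=(" + ", ".join(peer) + ")")
    return "\n     ".join(parts) + ","
```

The label field of the parsed record (openvpn//update-resolv here) names the confined context that was denied, which is where a reviewed rule would belong.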